8 risk-related questions CIOs should ask

Here's the scenario: you (as CIO) are asked to approve the latest round of technology spending. Here are eight key questions you should be asking, and why:

1. Will this enable me to collaborate? Collaboration is a strategic direction for most businesses, whether it's B2B, B2C, peer-to-peer, joint ventures or strategic partnerships. The key to true collaboration is being able to see and work on the same data.

2. Will this be secure if I connect it directly to the Internet? Since your existing systems are probably not all ready to be connected to the Internet, you will still operate a security perimeter. What you don't want to do is then tunnel all external collaborators through that security perimeter. The correct way is to architect the system for connection to the Internet, so that everyone simply connects directly via the Internet whether they are inside your organisation or outside it.

3. Can someone we don't employ get access to this the same way our staff do? The last thing you want to do is manage user credentials for hundreds, maybe thousands, of people you do not employ. Systems must be designed to accept user credentials from a variety of sources that you probably don't manage, and then use those credentials as one of the factors when deciding whether to grant access to the system and the data.

4. If data is lost, will I find my company on the front page of the national paper? The basic rule here is that data should be encrypted both in transit and at rest. So you need to find out whether all the protocols in use are secure and whether all backups are encrypted.

5. How will I know if someone has tampered with the data? With lots of people you don't know accessing your data, it's important to understand the data model and how you ensure that people have the right access to the right data. How can you spot that someone has accidentally changed the mark-up formula on that bid spreadsheet from +25 per cent to -25 per cent, for instance?
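
One way to make such a change detectable, as an added example that is not from the article: a keyed integrity tag (HMAC-SHA256) is stored with each record when it is approved and recomputed before the data is used, so any edit by someone who lacks the key fails verification and the report names the field that moved. The record values and the key below are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample: one line of a bid spreadsheet (not from the article).
BID_LINE = {"item": "Installation labour", "cost": 40000.00, "markup": 0.25}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so identical content always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Keyed tag over the record. Unlike a plain hash, an editor who can change
    cells but does not hold the key cannot recompute a matching tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the stored tag against a fresh one."""
    return hmac.compare_digest(seal(record, key), tag)


def changed_fields(original: dict, current: dict) -> list:
    """Name the fields that differ, so the alert says what changed, not just that it did."""
    keys = set(original) | set(current)
    return sorted(k for k in keys if original.get(k) != current.get(k))


def demo() -> dict:
    # Hypothetical key; in practice it lives in a KMS/HSM, never in the spreadsheet itself.
    key = b"hypothetical-integrity-key"
    tag = seal(BID_LINE, key)              # stored alongside the approved record
    tampered = dict(BID_LINE, markup=-0.25)  # the +25% -> -25% flip from the article
    return {
        "clean_ok": verify(BID_LINE, tag, key),
        "tampered_ok": verify(tampered, tag, key),
        "changed": changed_fields(BID_LINE, tampered),
    }


if __name__ == "__main__":
    print(demo())
```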

6. Will it easily interconnect with our key business partners? If collaboration is going to be easier, you need to understand and agree on the security standards by which the collaboration will happen. This is even more important when multiple parties are involved. Generally you do not want to re-key data, or try to maintain and synchronise multiple sources of data.

7. How did you translate the risk appetite of the board for this system? Often, the first you know about a new strategic joint venture is when the press release goes to the city. Connecting the systems so you can collaborate carries a set of risks the board probably did not understand. Your job is often to balance those risks, but also to validate the risk assumptions that your people have made.

8. Has the vendor built security in or do I need additional parts to make it secure? If the system has security built in as sold, rather than bolted on, it provides a significantly better overall security model. When security is built in, it is generally friendlier for end users, who would otherwise have to navigate all the extra layers of security you've had to bolt on.

Paul Simmonds is a steering committee member of the Jericho Forum, a group of senior IT security officers working together to help business succeed.
